Fast handoff in communication networks is important for real-time applications, for instance streaming video, audio and other multimedia applications, so that the transmission of data is not interrupted. However, the authentication process can be a major factor contributing to communication disruption during handoff in a mobile wireless communication network such as, for instance, a wireless local area network (WLAN), because authentication generally must be successfully completed prior to handoff. Authentication is the process of proving someone's or something's claimed identity and usually involves challenging a person or an entity to prove that he or it has physical possession of something or that he or it has knowledge of something. Authentication protocols define the message flows by which this challenge and response are sent and received by the parties being authenticated.
FIG. 1 illustrates a mobile wireless network 100, in this instance a WLAN network, having two authenticating entities or devices, which are in this illustration access points (AP) 10 and 20. APs 10 and 20 may provide access to an underlying network that may be implemented, for instance, as a wired network or as a mesh network having fixed access points. APs 10 and 20 may be, for instance, base stations. In this illustration, AP 10 provides access to a first subnet having a first coverage area, and AP 20 provides access to a second subnet having a second coverage area. The first and second coverage areas may or may not be overlapping.
FIG. 1 only shows two APs servicing two coverage areas for the purpose of ease of illustration. However, it should be understood by those of ordinary skill in the art that a WLAN network may be designed with any number of access points servicing a plurality of coverage areas. FIG. 1 also illustrates access points being the authenticating entities. However, those of ordinary skill in the art will realize that the type of authenticating entity depends upon the layer (e.g., link, network, application, etc.) at which authentication occurs.
As shown in FIG. 1, a mobile node 30 may roam from the first coverage area to the second coverage area (as illustrated by the dashed arrow). Mobile node 30 may be, for instance, a laptop computer, a personal digital assistant, or any other suitable device. It is assumed for purposes of this example that while in the first coverage area mobile node 30 had access to the WLAN as a result of a successful authentication process with AP 10. During this authentication process, mobile node 30 was verified or identified as being authorized to have access to the WLAN resources. Moreover, if mutual authentication was performed (as it generally is in highly secure systems), AP 10 was also verified as a legitimate access point for providing access to the WLAN resources, to prevent rogue access points from gaining access to the WLAN resources. In addition, the authentication process would generally result in a shared secret being obtained or established between mobile node 30 and AP 10 for secure (e.g., encrypted) communications between the two.
In one embodiment, network 100 may be an 802.11 WLAN network, wherein mobile node 30 and APs 10 and 20 are configured to operate in accordance with the ANSI/IEEE (American National Standards Institute/Institute of Electrical and Electronics Engineers) 802.11 wireless LAN standards. Thus, APs 10 and 20 may be, for instance, 802.11 access points or base stations.
Today's 802.11 networks authenticate users according to the 802.1x standards. 802.1x specifies how to run the Extensible Authentication Protocol (EAP) directly over a link layer protocol. Among the EAP methods developed specifically for wireless networks are a family of methods based on the Transport Layer Security (TLS) protocol and public key certificates (also referred to in the art as certificate-based methods). These methods use the TLS public key certificate authentication mechanism within EAP to provide mutual authentication of client (e.g., mobile node 30) to server (e.g., AP 10) and server to client.
Typically the result of a successful authentication is the establishment of an AAA (authentication, authorization and accounting) state at the AP. The AAA state may include authorized service duration, authorization expiration time, quality of service (QoS) level, Security Association (SA), etc. The SA may include a shared secret such as a key, cryptographic algorithms, SA identity, etc., and is typically used for per-packet encryption and authentication. Without an SA between an AP and a mobile node (MN), the secure connection cannot be resumed before the authentication process is completed. Without per-packet authentication, even if entity authentication is successful, attackers can still get in with spoofed or faked MAC addresses. Conversely, the AAA state enables packets to pass through only if they correctly apply the SA.
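The following is an added illustration of the point above, not code from the patent: an AP keeps a per-MN AAA state (expiration time, QoS level, SA key) and passes a frame only if an unexpired state exists for the source MAC and the frame's integrity check verifies under that state's SA key, so a frame carrying a legitimate MN's MAC address but lacking the SA key is dropped. The AAAState structure, the HMAC-SHA256 integrity check and all addresses and keys are constructed assumptions for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class AAAState:
    """Hypothetical per-MN state an AP holds after a successful authentication,
    modelled on the fields the text lists (expiration, QoS level, SA)."""
    mac: str
    sa_key: bytes        # shared secret of the Security Association
    expires_at: float    # authorization expiration time, seconds
    qos_level: int


def protect_frame(sa_key: bytes, src_mac: str, payload: bytes) -> bytes:
    """Sender side: append a MIC under the SA key covering the source MAC and payload."""
    mic = hmac.new(sa_key, src_mac.encode() + payload, hashlib.sha256).digest()
    return payload + mic


def ap_accept_frame(state_table: dict, src_mac: str, frame: bytes, now: float) -> bool:
    """AP filter: entity authentication alone is not enough; the frame must also
    prove possession of the SA key bound to the claimed source MAC."""
    state = state_table.get(src_mac)
    if state is None or now >= state.expires_at:
        return False  # no AAA state, or authorization has expired
    if len(frame) < 32:
        return False  # too short to carry a SHA-256 MIC
    payload, mic = frame[:-32], frame[-32:]
    expected = hmac.new(state.sa_key, src_mac.encode() + payload, hashlib.sha256).digest()
    return hmac.compare_digest(mic, expected)


def demo() -> dict:
    """Constructed scenario: MN 30 is authenticated at AP 10; a second station
    uses MN 30's MAC address but does not hold the SA key."""
    mn_mac = "00:11:22:33:44:55"          # constructed address
    key = os.urandom(32)
    table = {mn_mac: AAAState(mn_mac, key, expires_at=1000.0, qos_level=2)}
    legit = protect_frame(key, mn_mac, b"voice sample")
    spoofed = protect_frame(os.urandom(32), mn_mac, b"voice sample")  # wrong key
    return {
        "legit": ap_accept_frame(table, mn_mac, legit, now=10.0),
        "spoofed_mac": ap_accept_frame(table, mn_mac, spoofed, now=10.0),
        "expired": ap_accept_frame(table, mn_mac, legit, now=2000.0),
        "unknown_mn": ap_accept_frame(table, "66:77:88:99:aa:bb", legit, now=10.0),
    }
```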
Although these certificate-based methods provide cryptographically strong authentication, there are some disadvantages to using these methods. For example, one key disadvantage is that these methods require complicated and expensive cryptographic algorithms or protocols that require a large number of sequential protocol exchanges (round trips) between the client and the server and resource intensive cryptographic computations to complete the authentication. Requiring a large number of protocol exchanges both lengthens the authentication delay for the user and uses more computing resources. This authentication delay is a particular problem for mobile users who must be re-authenticated when moving from one access point to another (e.g., when mobile node 30 moves from an old AP 10 to a new AP 20) and who require a seamless handoff so as not to disrupt ongoing communication sessions, for instance for public safety personnel. More specifically, certificate-based authentication can take seconds to complete, which can cause significant delay or interruption to voice, or other real-time traffic such as multi-media applications, for a mobile node that is constantly moving from one subnet to another.
There are a number of methods known in the art for addressing the effect on handoff due to authentication delay. Two such methods are inter-AP AAA context transfer and 802.1x pre-authentication. Inter-AP AAA context transfer involves transferring the AAA authorization state or shared secret information from one AP (the old AP) to another AP (the new AP) to avoid repeating the authentication process and to establish an AAA state at the new AP. 802.1x pre-authentication allows authentication to occur before association, as defined in the 802.11 wireless LAN standard, with the new AP and thus permits pre-authentication before handoff.
However, neither of the approaches completely solves the problem. More specifically, inter-AP AAA context transfer may fail in certain circumstances due to different capability or service support across APs, i.e., heterogeneous deployment (or incremental deployment that results in different capability support across APs). Pre-authentication can only be performed within a coverage area overlap between the old AP and the new AP. Thus, pre-authentication may not complete during the handoff if, for instance: there is no overlapping coverage area; the size of the overlapping coverage area is too small; or the mobile node moves too quickly through the overlapping coverage area.
Thus, there exists a need for a faster authentication process that may be used in both homogeneous and heterogeneous networks and that decreases the chance of a disruption in communication during handoff between access points. It is further desired that the authentication process be cryptographically strong, more cost efficient and use fewer computing resources.